Title: Security in .NET
1Security in .NET
2What are we to talk about?
- Security A-B-C
- Security on the client
- Evidence
- Policies
- Permissions
- Security on the server
- ASP.NET
- Security on the network
- Cryptography
- Web Service security (will be covered in next session)
4What is security all about?
- Identification
- Authentication
- Authorization
- Integrity
- Confidentiality
- Non-repudiation
5Key Semi-Trust Scenarios
- OS security is based on user rights
- CLR security, layered on OS security, gives rights to code
6Verification
- Security enforceable on well-behaved code
- Without verification, arbitrary code can subvert security mechanisms
- Verification rules are safe, may falsely reject
- Code is verified to be memory type safe
- Only access objects via well-defined interfaces
- No unsafe casts, no access beyond array bounds, etc.
- No stack underflow/overflow conditions
- Verification is great for general code quality
- Verifiability depends on the compiler/language
7Evidence-Based Security
- Evidence
- Inputs to policy about code
- Extensible by design
- Policy
- Determines what code can do
- Grants permissions to an assembly
- Permissions
- Specific authorizations
- Define a level of access to a resource
8Evidence Types
- Related to where the code was loaded from
- URL
- Site
- Zone
- Application Directory
- Related to who wrote the code
- Strong Name
- Publisher
- Arithmetic calculation of overall contents
- Hash
9Hierarchical Policy Levels
- CLR supports multiple, ordered policy levels
- Enterprise: common policy for organization
- Machine: policy for all users of given machine
- User: policy specific to logged in user
- A policy contains
- Code Groups
- Permission Sets
- Policy Assemblies
- Effective policy is the intersection of all levels
10Code Group fundamentals
- Two linked rules
- What assemblies are members?
- What permissions should they be granted?
- Code groups can be composed by unions
11Changing Policies
- Changing Policy
- Done by Administrators
- Limit what you trust
- When in doubt omit permissions
- Trust a particular server or a particular strong name
12Assembly Input To Policy
- Assembly may have permission requests
- Minimum, Optional, Refuse
- If unspecified, Minimum and Refuse default to the empty set, Optional defaults to everything
- Load fails if policy does not grant Minimum
- Assembly is granted
- (MaxAllowed ∩ (Minimum ∪ Optional)) − Refused
- In the default case (no requests) this reduces to MaxAllowed
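The grant computation above, worked through as an added C# example (not part of the original slides). It is a simplified model: permissions are plain names taken from the deck's permission list rather than real CLR permission objects, and the per-level grant sets are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class GrantModel
{
    // Effective policy: intersection of the Enterprise, Machine and User levels.
    static HashSet<string> MaxAllowed(params string[][] levels)
    {
        var result = new HashSet<string>(levels[0]);
        foreach (var level in levels.Skip(1)) result.IntersectWith(level);
        return result;
    }

    // (MaxAllowed ∩ (Minimum ∪ Optional)) − Refused.
    // optional == null models "not specified", which means everything.
    static HashSet<string> Grant(HashSet<string> maxAllowed, string[] minimum,
                                 string[] optional, string[] refused)
    {
        if (!minimum.All(p => maxAllowed.Contains(p)))
            throw new InvalidOperationException("Load fails: policy does not grant Minimum");
        var requested = optional == null
            ? new HashSet<string>(maxAllowed)
            : new HashSet<string>(minimum.Concat(optional));
        requested.IntersectWith(maxAllowed);
        requested.ExceptWith(refused);
        return requested;
    }

    static void Main()
    {
        var max = MaxAllowed(
            new[] { "Execution", "FileIO", "UI", "Socket", "Registry" },  // Enterprise (constructed)
            new[] { "Execution", "FileIO", "UI", "Socket" },              // Machine (constructed)
            new[] { "Execution", "FileIO", "UI" });                       // User (constructed)
        var none = new string[0];

        // No requests at all: the grant reduces to MaxAllowed.
        Console.WriteLine(string.Join(",", Grant(max, none, null, none)));
        // Optional Registry is silently dropped because policy never allowed it; UI is refused.
        Console.WriteLine(string.Join(",", Grant(max, new[] { "Execution" },
            new[] { "FileIO", "Registry" }, new[] { "UI" })));
        // Minimum asks for Socket, which the User level removed: the load fails.
        try { Grant(max, new[] { "Socket" }, null, none); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```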
13Permissions
- A permission is a set (or subset) of capabilities
- The right to interact with a given resource
- All permissions implement union, intersection, and subset operations
- Load time and run time security checks
- Declarative security operations are made by annotating source code, appear in metadata
- Imperative security operations are performed via object creation and method invocation
- Stack walks guard against luring attacks
- Overridable with Asserts
14Stack-walking Semantics
P is compared with grants of all callers on the stack above M4
15Assert() can modify stack-walks
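A small model of the stack walk and of Assert(), added here as an illustration and not taken from the original slides. The Frame class, the method names and the grant sets are hypothetical; a real demand is performed by the CLR over actual stack frames.

```csharp
using System;
using System.Collections.Generic;

class Frame
{
    public string Method, Asserted;      // Asserted: permission this frame asserted, or null
    public HashSet<string> Grants;
    public Frame(string method, string asserted, params string[] grants)
    { Method = method; Asserted = asserted; Grants = new HashSet<string>(grants); }
}

static class StackWalkModel
{
    // callers[0] is the immediate caller of the method that demands p;
    // later entries are further up the call chain.
    static string Demand(string p, IList<Frame> callers)
    {
        foreach (var f in callers)
        {
            if (!f.Grants.Contains(p))
                return "SecurityException: " + f.Method + " lacks " + p;
            // An Assert stops the walk, but only when the asserting frame
            // holds p itself and also holds the right to assert.
            if (f.Asserted == p && f.Grants.Contains("Assertion"))
                return "granted (walk stopped at Assert in " + f.Method + ")";
        }
        return "granted (all callers hold " + p + ")";
    }

    static void Main()
    {
        var trustedLib = new Frame("TrustedLib.Save", null, "FileIO", "Assertion");
        var downloaded = new Frame("Downloaded.Run", null, "UI");
        // Luring attempt: partially trusted code calls a trusted library. Denied.
        Console.WriteLine(Demand("FileIO", new[] { trustedLib, downloaded }));

        // The library vouches for one narrow operation by asserting FileIO. Granted.
        var asserting = new Frame("TrustedLib.WriteLog", "FileIO", "FileIO", "Assertion");
        Console.WriteLine(Demand("FileIO", new[] { asserting, downloaded }));

        // Asserting a permission the frame was never granted changes nothing. Denied.
        var bogus = new Frame("Downloaded.Helper", "FileIO", "UI", "Assertion");
        Console.WriteLine(Demand("FileIO", new[] { bogus, downloaded }));
    }
}
```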
16Permissions Protect Resources
- FileIO
- FileDialog
- IsolatedStorage
- Environment
- Registry
- UI
- Printing
- Reflection
- Security
- Socket
- Web
- DNS
- OleDb
- SQLClient
- MessageQueue
- EventLog
- DirectoryServices
- extensible
Execution, Assertion, Skip Verification, Unmanaged code, Control evidence, Control policy, Control principal, Control threads
17Putting It All Together
Assembly A3
Host
Security Policy
Policy Evaluator
18Managed Code Execution
DEVELOPMENT
Source code
Assembly Metadata and IL
    // requires: using System; using System.IO;
    public static void Main(String[] args)
    {
        String usr; FileStream f; StreamWriter w;
        try
        {
            // Write the current user's name to a file
            usr = Environment.GetEnvironmentVariable("USERNAME");
            f = new FileStream("C:\\test.txt", FileMode.Create);
            w = new StreamWriter(f);
            w.WriteLine(usr);
            w.Close();
        }
        catch (Exception e)
        {
            Console.WriteLine("Exception:" + e.ToString());
        }
    }
Compiler
19Extending the Policy System
- Custom Permissions
- App defined authorization for a resource
- Easy integration with policy
- Custom Code Groups and Membership Conditions
- Implement new Code Group logic
- Dynamic permission set computation
- Alter default combining logic
- Custom Evidence
- Create embedded evidence (e.g. certifications)
- Evidence from trusted hosts
20What are we to talk about?
- Security A-B-C
- Security on the client
- Evidence
- Policies
- Permissions
- Security on the server
- ASP.NET
- Security on the network
- Cryptography
- Web Service security (will be covered in next session)
21Security on the server
- Authentication and authorization
- Extensible and customizable
- Authentication scheme transparency
- Simple deployment model
- Support for granular declarative and imperative authorizations
- Supports application layer security
22ASP Architecture
Internet Information Server
ISAPI Filters
ISAPI Extensions
ASP.DLL
Script Execution
ASP Script Engine
Script Code
Script Engine Cache
.ASP file
23ASP.NET Architecture
ASP.NET HTTP Runtime
Modules
Page Handlers
ASPX Engine
Class Instance
ASP.NET page
Page Class
24Process Identity
- Windows 2000
- Default is ASPNET (local service account)
- Can also run as System or configured account using <processModel>
- Windows .NET Server
- Uses IIS 6 process model
- Default is NetworkService
- App Pools are configurable, identity is configurable
25Request identity
- Impersonation
- Running under the security context of the request entity
- Configurable in ASP.NET
- Enable for ASP compatible behavior
    <system.web>
        <identity impersonate="true" />
    </system.web>
26ASP .NET Request Processing
- Per Request Events
- BeginRequest
- AuthenticateRequest
- AuthorizeRequest
- ResolveRequestCache
- AcquireRequestState
- PreRequestHandlerExecute
- <handler executes here>
- PostRequestHandlerExecute
- ReleaseRequestState
- UpdateRequestCache
- EndRequest
ASP.NET Page
ASP.NET Service
HTTP Handler
Application
HTTP Module
HTTP Module
Global.asax
HttpContext
ASP.NET Runtime
Host (IIS)
27Authentication
- ASP.NET is an ISAPI extension
- Only receives requests for mapped content
- Windows Authentication (via IIS)
- Basic, Digest, NTLM, Kerberos, Certificate Support
- Leverages platform authentication
- Forms-based (Cookie) Authentication
- Application credential verification
- Supports Microsoft Passport Authentication
- Custom Authentication
28Microsoft Passport
- Single sign-in across member sites
- Integrated into ASP.NET authentication
- Requires Passport SDK installation
- ASP.NET wraps
- IPassportManager
- IPassportManager2
- IPassportCrypt
- More details at
- http://www.passport.com
- Passport support built into IIS 6
29Forms-Based Auth
- Easy to implement
- ASP.NET provides redirection
- Steps
- Configure IIS to allow anonymous users (typically)
- Use SSL!
- Configure ASP.NET cookie authentication
- Write your login page
30Forms authentication
31Forms Auth Configuration
    <authentication mode="Forms">
        <forms name=".ASPXAUTH"
               loginUrl="login.aspx"
               protection="All"
               timeout="30"
               path="/" />
    </authentication>
32Authorization Strategies
- Windows Security and ACLs
- ACLs checked for Windows auth
- Independent of impersonation
- COM Roles
- URL Authorization
- Custom Authorization
- Windows .NET AuthZ Framework
- Explicit imperative/declarative checks
33Using URL Authorization
- Example: allow Admins or WebServiceUsers and deny all others
    <!-- * is all users, ? is anonymous users -->
    <authorization>
        <allow verbs="POST" roles="Admins" />
        <allow roles="WebServiceUsers" />
        <deny users="*" />
    </authorization>
- Example: deny anonymous users
    <authorization>
        <deny users="?" />
    </authorization>
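How the first rule set above is evaluated, as an added C# model (not code from the slides or from ASP.NET itself). It assumes the usual top-to-bottom, first-match evaluation with the machine-level default of allowing all users; the user names are constructed.

```csharp
using System;
using System.Linq;

class Rule
{
    public bool Allow; public string Users, Roles, Verbs;   // null = attribute absent
    public Rule(bool allow, string users = null, string roles = null, string verbs = null)
    { Allow = allow; Users = users; Roles = roles; Verbs = verbs; }
}

static class UrlAuthModel
{
    // user == null models an anonymous request.
    static bool Matches(Rule r, string user, string[] userRoles, string verb)
    {
        if (r.Verbs != null && !r.Verbs.Split(',').Contains(verb)) return false;
        if (r.Users == "*") return true;
        if (r.Users == "?") return user == null;
        if (r.Users != null && user != null && r.Users.Split(',').Contains(user)) return true;
        return r.Roles != null && r.Roles.Split(',').Any(role => userRoles.Contains(role));
    }

    // Rules are read top to bottom and the first match decides. With no match
    // the request falls through to the inherited default, which allows everyone,
    // so a rule set without a closing deny protects nothing.
    static bool IsAllowed(Rule[] rules, string user, string[] userRoles, string verb)
    {
        foreach (var r in rules)
            if (Matches(r, user, userRoles, verb)) return r.Allow;
        return true;
    }

    static void Main()
    {
        var slideRules = new[] {
            new Rule(true, roles: "Admins", verbs: "POST"),
            new Rule(true, roles: "WebServiceUsers"),
            new Rule(false, users: "*") };
        var withoutDeny = slideRules.Take(2).ToArray();
        var admin = new[] { "Admins" }; var guest = new string[0];

        Console.WriteLine(IsAllowed(slideRules, "alice", admin, "POST"));  // Admins may POST
        Console.WriteLine(IsAllowed(slideRules, "alice", admin, "GET"));   // but GET hits the deny
        Console.WriteLine(IsAllowed(slideRules, null, guest, "GET"));      // anonymous hits the deny
        Console.WriteLine(IsAllowed(withoutDeny, null, guest, "GET"));     // no closing deny: falls through
    }
}
```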
34Custom security
- Handle appropriate event
- Application level (global.asax) or
- Http Module (implement IHttpModule)
- Authentication: AuthenticateRequest
- Custom SOAP authentication
- Authorization: AuthorizeRequest
- Implement per-request billing system
- Restrict access based on business rules
35What are we to talk about?
- Security A-B-C
- Security on the client
- Evidence
- Policies
- Permissions
- Security on the server
- ASP.NET
- Security on the network
- Cryptography
- Web Service security (will be covered in next session)
36Terminology
- Plaintext
- The stuff you want to secure, typically readable by humans (email) or computers (software, order)
- Ciphertext
- Unreadable, secure data that must be decrypted
- Key
- You must have it to encrypt or decrypt (or do both)
- Cryptanalysis
- Hacking it by using science
- Complexity Theory
- How hard is it and how long will it take to run a program
37Cryptographic Ciphers
- Symmetric Cipher: 1 Key
- Used for encryption and decryption
- Key is vulnerable if transmitted
- Does not support non-repudiation
- Examples
- Triple DES (64bit)
- AES (variable key size)
[Diagram: Text, Ciphertext]
38Cryptography Ciphers
- Asymmetric Cipher: non-matching keys
- One key for encryption
- One key for decryption
- Does not require exchange of keys
- Examples
- RSA (variable key size)
[Diagram: Text, Ciphertext, Text]
39Digital Signatures
- Enables integrity and non-repudiation
- RSA, DSA or HMAC (symmetric key)
- Relies on Hashing
- Secure Hash Algorithm (SHA)
- SHA1 creates a 20 byte digest of any binary data (2^160)
[Diagram: Public Key, RSA Private Key, Text, Signed Digest, SHA, Digest]
40Cryptographic APIs
- Comprehensive cryptographic library
- Easy, unified, stream-based architecture
- System.Security.Cryptography
- Common algorithms
- Hashing: SHA-1, SHA-256/-384/-512, MD5
- Asymmetric: RSA, DSA
- Symmetric: AES, TripleDES, DES, RC2
- MAC: HMAC-SHA1, MACTripleDES
- Open extensible model (new algorithms)
41Crypto Object Model
Symmetric Algorithm
Abstract Base Classes (only one shown)
TripleDES
Rijndael
RC2
Abstract Algorithm Classes
Algorithm Implementation Classes
TripleDESCryptoServiceProvider (CryptoAPI)
RijndaelManaged (C#)
RC2CryptoServiceProvider
42Sample: Hashing and RNGs
- Simple programming model
- Common functions accessible as single method calls on algorithm objects
- Runtime adaptation based on config system
- You choose the default implementation
    ' requires: Imports System.Security.Cryptography
    Dim rng As RandomNumberGenerator = RandomNumberGenerator.Create()
    Dim bytes As Byte() = New Byte(128) {}
    rng.GetBytes(bytes)
    Dim hash As SHA256 = SHA256.Create()
    Dim digest As Byte() = hash.ComputeHash(inputData)   ' inputData: the Byte() to hash
43Encryption
- Instantiate the algorithm
    SymmetricAlgorithm alg = SymmetricAlgorithm.Create("DES");
- Generate a key
    byte[] myNewKey = alg.Key;
    byte[] myNewIV = alg.IV;   // the decryptor needs the same IV as well
- Encode your data
    string message = "Top secret data...";
    byte[] plain = Encoding.UTF8.GetBytes(message);
- Perform the encryption
    ICryptoTransform enc = alg.CreateEncryptor();
    byte[] cipher;
    cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
44Decryption
- Instantiate the algorithm
    SymmetricAlgorithm alg = SymmetricAlgorithm.Create("DES");
- Obtain the key
    alg.Key = theKey;
    alg.IV = theIV;            // IV used for encryption (theIV is a name added here)
- Perform the decryption
    ICryptoTransform dec = alg.CreateDecryptor();
    byte[] plain;
    plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
- Decode the data
    string plainText = Encoding.UTF8.GetString(plain);
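The encryption and decryption steps above, carried through as an added example rather than code from the slides. It goes beyond them by using AES instead of DES, sending a fresh IV with each message and adding an HMAC-SHA256 tag that is checked before decryption; the IV || ciphertext || tag layout and the SealedMessage name are assumptions of this example, and it needs .NET Core 3.0 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SealedMessage
{
    // Output layout (an assumption of this example): IV || ciphertext || HMAC-SHA256 tag.
    static byte[] Encrypt(byte[] plain, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();                     // CBC with PKCS7 padding by default
        using var hmac = new HMACSHA256(macKey);
        aes.Key = encKey;
        aes.GenerateIV();                                 // fresh IV for every message
        using var enc = aes.CreateEncryptor();
        byte[] body = aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
        return body.Concat(hmac.ComputeHash(body)).ToArray();
    }

    static byte[] Decrypt(byte[] sealedMsg, byte[] encKey, byte[] macKey)
    {
        using var hmac = new HMACSHA256(macKey);
        byte[] body = sealedMsg.Take(sealedMsg.Length - 32).ToArray();
        byte[] tag = sealedMsg.Skip(sealedMsg.Length - 32).ToArray();
        // Check integrity first, in constant time, before any decryption happens.
        if (!CryptographicOperations.FixedTimeEquals(tag, hmac.ComputeHash(body)))
            throw new CryptographicException("MAC check failed");
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.IV = body.Take(16).ToArray();                 // the IV travels with the message
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(body, 16, body.Length - 16);
    }

    static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];
        using var rng = RandomNumberGenerator.Create();
        rng.GetBytes(encKey); rng.GetBytes(macKey);       // separate keys for cipher and MAC
        byte[] msg = Encrypt(Encoding.UTF8.GetBytes("Top secret data..."), encKey, macKey);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(msg, encKey, macKey)));
        msg[20] ^= 1;                                     // flip one ciphertext bit
        try { Decrypt(msg, encKey, macKey); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```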
45What have we talked about?
- Security A-B-C
- Security on the client
- Evidence
- Policies
- Permissions
- Security on the server
- ASP.NET
- Security on the network
- Cryptography
46Recommended reading
- Applied Cryptography
- Bruce Schneier
- ISBN 0-4711-1709-9
- Writing Secure Code
- Michael Howard, David Leblanc
- ISBN 0-7356-1588-8
- The Code Book
- Simon Singh
- ISBN 0-3854-9532-3